Traditional payments using payment cards can be broadly separated into two categories: those in the physical world and those in the online world. In the online world, using a payment card requires entry of at least the card number, and possibly other aspects of the account such as the expiration date or a card security code. In the physical world these mechanisms are sometimes used, but more often the card is “swiped,” that is, there is some device at the point-of-sale (POS) that reads the card information from the magnetic stripe on the back of the card.
A payment card often has an associated Personal Identification Number (PIN) that serves as an authentication mechanism when the card is used. For example, using a card with an ATM requires providing the card to a card reader in the ATM and entering the PIN into the ATM. In purchase situations, a debit card may be used with or without the debit card's PIN. When the PIN is not used, the transaction is processed as “signature debit.” When the PIN is used, it is processed as “PIN debit.” A PIN debit transaction may have certain advantages for merchants and card issuers, because the PIN debit transaction can typically be processed at a lower cost to the merchant and/or card issuer than a signature transaction. Therefore there is some incentive in the industry to support the use of PINs.
In traditional POS systems there is considerable technology involved in the handling of PINs, in order to ensure their security. There are standard methods of encrypting PINs, and related ways to provide security for encryption keys. For example, traditional POS systems usually provide tamper-proof hardware devices for key protection.
Mechanisms are emerging to enable payments to proceed using a portable platform, e.g., a mobile phone or a portable computing (PC) device, for online commerce or physical world commerce. In some cases these mechanisms involve manual entry of card information. In others, a small device may be attached to the mobile phone or PC that allows the card to be swiped to read the magnetic stripe. As such, the portable platform may be used as a replacement for the point-of-sale (POS) device for a “signature debit” transaction. However, because the portable payment system consists of commonly available hardware (e.g., a phone or PC) running a software payment application, it is not tamper-proof: the key storage hardware and key management mechanisms of a traditional POS are not available, and therefore the portable payment platform cannot be used to securely process a transaction as a “PIN debit” transaction.
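To make the “standard methods of encrypting PINs” concrete, the following added example (not part of the patent text) builds an ISO 9564-1 format 0 PIN block, the formatting step a PIN-entry device performs before encrypting the block under a PIN encryption key. The example stops at the clear PIN block; the PIN and PAN values are constructed for illustration, and the encryption key it would feed is exactly the secret that a tamper-resistant POS protects and a software-only portable platform cannot.

```python
# ISO 9564-1 format 0 PIN block: a 16-nibble PIN field XORed with a 16-nibble
# PAN field. The result is what gets encrypted under the PIN encryption key;
# the clear block itself must never leave the secure PIN-entry device.
# Sample PIN and PAN values in the test are constructed, not real accounts.


def _pan_field(pan: str) -> bytes:
    """Four zero nibbles followed by the 12 rightmost PAN digits,
    excluding the Luhn check digit (the last digit of the PAN)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Return the 8-byte clear format 0 PIN block for this PIN and PAN."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    # Nibble layout: format '0', PIN length, PIN digits, then 'F' padding.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Undo the PAN XOR and parse the PIN, rejecting malformed blocks.
    A block decoded against the wrong PAN normally fails the padding check."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(field[1], 16)
    digits, padding = field[2:2 + n], field[2 + n:]
    if not 4 <= n <= 12 or not digits.isdigit() or set(padding) != {"F"}:
        raise ValueError("malformed PIN field or padding")
    return digits
```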